I am feeling very stupid but I don’t understand the doc and the tutorial.
I am making a SPA (Angular). I have installed the Angular Auth0 SDK. I use the universal login. Then I need to call my backend API with a JWT (not an access token).
1/ Do I need 1 or 2 applications?
2/ Do I need to pass audience in loginWithRedirect? Do I need to pass audience in getAccessTokenSilently? Because by default loginWithRedirect has an audience of ‘https://NAME.eu.auth0.com/api/v2/’ and it cannot be used for 2 app…
I got the error “consent is required” as my user auth and consent to “https://NAME.eu.auth0.com/api/v2/” and I will not ask my user to login another time for api.
I am very confused as I don’t understand how it works and I am building a fairly simple architecture app.
You need one registered application for your SPA, and one registered API for your API.
You can pass the audience when you initialize the auth module and it will be passed with requests for tokens.
The audience you are using (https://NAME.eu.auth0.com/api/v2/) is for the management API for your tenant. It is an example used in the Angular doc, but you shouldn’t use it when you are looking for tokens for your custom API. You need to create an API in the dashboard and use the API Identifier as your audience.
If you want to make management API operations from your backend you will need to create an M2M application for your backend and assign it the correct permissions in the Management API settings.
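
Added example, not part of the original thread: a small diagnostic that decodes the token the SPA is about to send and reports whether its `aud` claim is the custom API's Identifier, the Management API, or missing because the token is not a JWT at all. Assumptions: `checkAudience`, `sampleToken` and `https://api.example.com` are hypothetical names, the sample tokens are constructed, and the signature is not verified here (the backend still validates signature, issuer and expiry with a JWT library).

```javascript
// Added example. Diagnostic only: the payload is decoded, the signature is NOT verified.
const MGMT_API_SUFFIX = '/api/v2/'; // Management API audience pattern from the thread

// Decode one base64url JWT segment into an object.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Report whether `token` was issued for `expectedAudience` (the API Identifier).
function checkAudience(token, expectedAudience) {
  const parts = String(token).split('.');
  if (parts.length !== 3) {
    // Not a JWT: Auth0 returns an opaque access token when no API audience is requested.
    return { ok: false, reason: 'not-a-jwt', aud: [] };
  }
  let payload;
  try {
    payload = decodeSegment(parts[1]);
  } catch (err) {
    return { ok: false, reason: 'not-a-jwt', aud: [] };
  }
  if (payload === null || typeof payload !== 'object') {
    return { ok: false, reason: 'not-a-jwt', aud: [] };
  }
  // `aud` may be a single string or an array of strings.
  const aud = [].concat(payload.aud || []);
  if (aud.includes(expectedAudience)) {
    return { ok: true, reason: 'audience-match', aud };
  }
  const isMgmt = aud.some((a) => typeof a === 'string' && a.endsWith(MGMT_API_SUFFIX));
  return { ok: false, reason: isMgmt ? 'management-api-audience' : 'wrong-audience', aud };
}

// Build a constructed sample token (fake signature) for the demo below.
function sampleToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.constructed-signature`;
}

const API_ID = 'https://api.example.com'; // hypothetical API Identifier
const MGMT = 'https://NAME.eu.auth0.com/api/v2/'; // audience quoted in the question
console.log(checkAudience(sampleToken({ aud: API_ID }), API_ID).reason);
console.log(checkAudience(sampleToken({ aud: [MGMT] }), API_ID).reason);
console.log(checkAudience('opaque-token-value', API_ID).reason);
```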